Microsoft Releases Workplace Join for Windows 7 Test Software
Microsoft has released "workplace join" for Windows 7 at its Microsoft Connect portal.
Releases available through Microsoft Connect typically are test software. It's not clear when a production version will be available. The Windows 7 version of workplace join seems to be flying somewhat under the radar. Its availability was briefly announced on Tuesday in this Microsoft blog post.
Workplace join provides an alternative way for users to log onto a network and access company resources, instead of following the usual practice of establishing trust by domain-joining a device. Microsoft announced workplace join back in June as a bring-your-own-device type of Windows Server 2012 R2 feature for use with Windows 8.1 clients. Subsequent descriptions by Microsoft have suggested support for non-Windows devices, too, including those running Android and iOS, but it's not clear if support for those devices is available yet. If Microsoft ever mentioned support for Windows 7 with workplace join, it wasn't well publicized.
Workplace join specifically is a feature of Windows Server 2012 R2. It requires the use of Windows Azure Active Directory Federation Services plus Active Directory on premises. Also required is the use of the Device Registration Service, which is part of the "Federation Services Role on Windows Server 2012 R2," according to a TechNet library article description. The workplace join feature doesn't work for devices that connect to a corporate network via a reverse-proxy server, including Microsoft's "Web application proxy" feature of Windows Server 2012 R2, according to the TechNet article.
Microsoft Surface director Cyril Belikoff explained the workplace join concept late last year.
"Workplace joins are the access components of a directory service that allows a user to use their ID and password to access their corporate network documents and shares in a secure way," Belikoff said. "It's not a fully domained device but you get the administration of mobile device management and get the access component."
The edition of Windows 7 that's used with the workplace join feature makes a difference. "Workplace Join for Windows 7 is for domain joined machines, which means that we support the Professional SKU and above," Microsoft's announcement explained. Microsoft conceives of workplace join as enabling bring-your-own-device scenarios, with management enabled by Windows Intune.
"Domain Join is what we have had for a long time, tight admin control, group policy, desktop SSO etc.," explained Adam Hall, product manager for hybrid identity solutions at Microsoft, in the comments section of Microsoft's announcement. "Workplace Join is much lighter, and is about authenticating an unknown device like a Surface RT, iOS or Android device. We put a certificate on the device, and can challenge the device for this as part of claims based authentication to applications or other resources such as data, plus there is no admin control of the device, it remains under the control of the end user. When coupled with BYO device management with a solution like Windows Intune, you can apply policy, deploy apps and control access to resources on machines that you otherwise have no control over."
Microsoft describes workplace join with Windows 7 machines as working with no "user interface" and joining devices "automatically and silently," with the criterion that there is an Active Directory account for the end user on premises.
Microsoft early on described some management perks associated with workplace join, although the system requirements to get those benefits don't seem well outlined or they may require having a Windows Intune subscription. For instance, the feature can be enhanced with multifactor authentication and single sign-on capabilities. IT pros also can get auditing capabilities.
For those looking for step-by-step setup help for workplace join, Microsoft offers a general guide here. There's also specific guidance for Windows 8.1 machines in this blog post.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.